Systems and methods for facilitating mobile transactions

ABSTRACT

The invention relates to a method for enabling the user of at least one mobile terminal to access one or more of a plurality of services corresponding to a published tag by receiving published tag data and user identification data corresponding to a user who scanned the published tag and determining whether the services corresponding to the published tag data is available for users. A unique key is generated for the user, which may be provided to the user&#39;s mobile device and is indicative of the scanned published tag. The user may then present the unique key at a user terminal to obtain access to the one or more services. Moreover, because each unique key is specific to a user and/or a mobile device, a centralized secure management entity may log usage statistics of the published tags for later reference by the user.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application claims priority to provisional patentapplication Ser. No. 62/090,228 filed Dec. 10, 2014, which isincorporated herein by reference in its entirety.

FIELD

The present application relates to systems and methods for enablingusers of a mobile device to access one or more services.

BACKGROUND

During the last decade, telephones and other mobile devices have assumedan increasingly important place in everyday life. The rise in popularityand prevalence of these devices have led to increased levels of mobiledevice-specific advertising across mobile-device specific platforms aswell as countless applications and ways in which users of mobile devicesengage in everyday activities, including purchasing goods and/orservices, riding transportation, accessing venues, sharing information,and/or the like.

Mobile devices may commonly be used for making traditional phone calls,may be used to access a variety of multimedia content, and may be usedfor identifying and validating the user in a mobility situation (street,stores, airports, etc.).

As a non-limiting example, discount coupon codes may be displayed andutilized on a mobile device (e.g., a discount on a product purchase),tickets may be generated, displayed, and validated from a mobile device(e.g., transportation tickets, concert tickets, cinema tickets, otherevent tickets, and/or the like). Moreover, loyalty programs (e.g.,retail store specific loyalty card programs) and payment systems (e.g.,credit card payment systems) may be presented and utilized viainformation displayed on a mobile device.

However, existing systems require substantial communication between themobile device and a centralized server in order to transmit data relatedto a particular service (e.g., discount coupon usage, ticketing usage,physical entry, payment usage, and/or the like). Accordingly, the use ofsuch existing technology is limited by the availability andfunctionality of a network connection between the mobile device and thecentral server.

Furthermore, existing systems may have a security level that isinadequate for limiting fraud, and may prevent accurate accounting andmanagement of the use of various services or published tags by users.Accordingly, a need exists for systems and methods enabling securemanagement of data indicative of uses of mobile device enabled systemsproviding verification of a user's identity without requiring the user'smobile device to be in connection with a central server.

BRIEF SUMMARY

Various embodiments provide secure systems and methods for exchangingverified user data between a mobile device and a centralized securemanagement entity without requiring a networked connection between thesedevices. The mobile device may be paired with the secure managemententity such that each device anticipates information to be passedtherebetween, even without requiring a direct networked connection.Thus, a key or token (e.g., a bar code, Quick Response code, RadioFrequency Identifier, alphanumeric code, data token, unique identifierdata, audio identifier, image, and/or the like) may be generated on themobile device without a network connection, and this key may bepresented to a user terminal (e.g., a Point of Sale terminal, kiosk,turnstile, web-based ecommerce server, and/or the like) which is incommunication with the secure management entity. Because the securemanagement entity and the mobile device are paired, the securemanagement entity anticipates at least a portion of the data included inthe key (or token) generated by the mobile device, such that theidentity of the mobile device, and by association the identity of theuser may be verified. Moreover, because each key comprises data uniqueto each user, the use of each key may be logged to manage the usage ofeach key.

Various embodiments are directed to a computer-implemented methodenabling access to one or more services. In various embodiments, themethod comprises steps for: receiving published tag data and useridentification data, wherein the published tag data corresponds to oneor more services offered to users; determining whether the servicescorresponding to the published tag data is available for users;generating a unique key comprising data indicative of the published tagdata and data indicative of the user identification data; andtransmitting the unique key to a mobile device of a user, wherein themobile device is configured to provide the unique key upon receipt of arequest to access the one or more services corresponding to thepublished tag.

In various embodiments, the method further comprises steps for:receiving the unique key during a request to access the one or moreservices; decoding data contained in the unique key; and enabling or notenabling the user to access the one or more services according to thedecoded data. Moreover, the published tag data and the useridentification data may be received from the mobile device of the user,and the published tag data may be scanned by the mobile device. Incertain embodiments, the unique key is selected from the groupconsisting of: an image, a sound, a Near Field Communication datasignal, or a string of alphanumeric characters. Moreover, in variousembodiments, generating the unique key comprises encrypting at least aportion of the data contained in the unique key. In certain embodiments,encrypting at least a portion of the data contained in the unique keycomprises applying a public key encryption algorithm. Moreover, the useridentification data may comprise a software application identifierassociated with the mobile device. In various embodiments, determiningwhether the services corresponding to the unique key are availablecomprises comparing attributes of the request to access the one or moreservices against requirement data associated with the one or moreservices. Moreover, the attributes of the request to access the one ormore services may comprise at least one of: a time of the request, anumber of times the one or more services have been accessed, or a numberof times the user has requested the one or more services.

Various embodiments are directed to a system for enabling access to oneor more services. In various embodiments, the system comprises: one ormore memory storage areas; and one or more computer processors. The oneor more computer processors may be configured to: receive published tagdata and user identification data, wherein the published tag datacorresponds to one or more services offered to users; determine whetherthe services corresponding to the published tag data is available forusers; generate a unique key comprising data indicative of the publishedtag data and data indicative of the user identification data; andtransmit the unique key to a mobile device of a user, wherein the mobiledevice is configured to provide the unique key upon receipt of a requestto access the one or more services corresponding to the published tag.In various embodiments, the one or more computer processors areadditionally configured to: receive the unique key during a request toaccess the one or more services; decode data contained in the uniquekey; and enable or not enabling the user to access the one or moreservices according to the decoded data. In various embodiments, thepublished tag data and the user identification data are received fromthe mobile device of the user, and wherein the published tag data isscanned by the mobile device. Moreover, the unique key may be selectedfrom the group consisting of: an image, a sound, a Near FieldCommunication data signal, or a string of alphanumeric characters. Invarious embodiments, generating the unique key comprises encrypting atleast a portion of the data contained in the unique key. Moreover,encrypting at least a portion of the data contained in the unique keymay comprise applying a public key encryption algorithm. In certainembodiments, the user identification data comprises a softwareapplication identifier associated with the mobile device. Moreover,determining whether the services corresponding to the unique key areavailable may comprise comparing attributes of the request to access theone or more services against requirement data associated with the one ormore services. Moreover, in various embodiments, the attributes of therequest to access the one or more services comprise at least one of: atime of the request, a number of times the one or more services havebeen accessed, or a number of times the user has requested the one ormore services.

Certain embodiments are directed to a computer program productcomprising at least one non-transitory computer-readable storage mediumhaving computer-readable program code portions stored therein. Invarious embodiments, the computer-readable program code portionscomprise: an executable portion configured to receive published tag dataand user identification data, wherein the published tag data correspondsto one or more services offered to users; an executable portionconfigured to determine whether the services corresponding to thepublished tag data is available for users; an executable portionconfigured to generate a unique key comprising data indicative of thepublished tag data and data indicative of the user identification data;and an executable portion configured to transmit the unique key to amobile device of a user, wherein the mobile device is configured toprovide the unique key upon receipt of a request to access the one ormore services corresponding to the published tag.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are notnecessarily drawn to scale, and wherein:

FIG. 1 is a block diagram of a system according to various embodiments;

FIG. 2A is schematic block diagram of a server according to variousembodiments;

FIG. 2B is schematic block diagram of an exemplary mobile deviceaccording to various embodiments;

FIG. 3 schematically illustrates the context of various embodiments, ina particular embodiment;

FIG. 4 is a flow diagram representing a particular embodiment of anaccess method according to the invention; and

FIG. 5 illustrates a particular embodiment of a secure management devicefor a software application, according to the invention.

DETAILED DESCRIPTION

The present invention will now be described more fully hereinafter withreference to the accompanying drawings, in which some, but not allembodiments of the invention are shown. Indeed, the invention may beembodied in many different forms and should not be construed as limitedto the embodiments set forth herein. Rather, these embodiments areprovided so that this disclosure will satisfy applicable legalrequirements. Like numbers refer to like elements throughout.

Various embodiments of the present invention are directed to a systemfor facilitating mobile transactions. In various embodiments, mobiletransactions may be facilitated by enabling the transfer andverification of changing information between a mobile device and asecure management entity without a direct network connection between thedevices. In various embodiments, the mobile device may be configured togenerate a unique key (e.g., a bar code, Quick Response code, RadioFrequency Identifier, alphanumeric code, data token, unique identifierdata, a sound, an audio identifier, an image with a watermark an imagewithout a watermark, a three-dimensional image, a hologram, and/or anyother publishable and/or transmitable data) comprising data identifyingthe mobile device and by association the user of the mobile device. Thisunique key may additionally comprise data specific to a particularservice requested by the user, such as a request to apply a discount toa purchase, a request to complete a purchase using a particular account,a request to validate entry into an event and/or a transportationservice, and/or the like. In various embodiments, the mobile devicegenerates the unique key without an open line of communication (eitherdirect or indirect) with a secure management entity, thereby operatingindependently and without any external intervention from, for example, asecure management entity, to create the unique key. However, the securemanagement entity may be configured to anticipate at least a portion ofthe data included in the key generated by mobile device withoutrequiring a direct network connection therebetween. Moreover, in variousembodiments, the secure management entity may generate the unique key orat least a portion of the data to be included in the unique key, and maytransmit the generated data to the mobile device for storage thereon.The mobile device may then later access the generated unique key withoutan open line of communication with the secure management entity.

Accordingly, the mobile device may present the unique key to a localcomputing device (e.g., a local computing system, a user terminal, aPoint-of-Sale (POS) terminal, a turnstile, a web-based ecommerce server,another mobile device, and/or the like) during a transaction, and thelocal computing device may subsequently transmit the key to the securemanagement entity for validation (e.g., via wired and/or wireless formsof communication). Upon receipt of the unique key from the localcomputing device, the secure management entity may verify the user'sidentity based on at least a portion of the data included in the uniquekey, decrypt the remainder of the unique key to determine which servicesare requested, transmit a request for verification of the services toone or more entities based on the services requested, and store a log ofthe use of the unique key with an account associated with the user.After verification of the user's identity and the services requested,the secure management entity may transmit validation data to the localcomputing device such that the local computing device may complete thetransaction with the user. Various systems and methods for generating aunique key without a network connection are described in U.S. Pat. No.8,893,238, which is incorporated herein by reference in its entirety.

In short, the confirmation enables a user to access any of a pluralityof services by presenting a mobile device comprising the unique key to alocal computing device. Consequently, in various embodiments, the mobiledevice need not be in communication with the secure management entityduring use of the unique key. The configuration enabling the user toaccess any of the plurality of services may be secure, at least in partdue to the lack of required network connection when creating and/orusing the unique key, and because the secure management entity itselfmay be secure. Thus, the configuration may provide increased securityagainst fraudulent behavior. Moreover, the mobile device may beconfigured to encrypt at least a portion of the data included in theunique key (e.g., using a public/private key encryption algorithm) toprovide further security against fraud. In such embodiments, the securemanagement entity may be configured to decrypt the data included in theunique key.

Moreover, as added security against fraud, the mobile device may beconfigured to request user identification data (e.g., entry of apersonal identification number (PIN), a biometric scan, and/or the like)prior to generation of the unique key and/or retrieval of the unique keyfrom memory. Accordingly, the mobile device may be configured to preventgeneration and/or retrieval of a unique key without first verifying theidentity of the user of the mobile device. In various embodiments, theunique key itself may comprise at least a portion of the useridentification data such that the identity of the user may be verifiedby the secure management entity. However, in various embodiments, theuser identification data may be verified locally on the mobile device(e.g., with reference to locally stored identity verification datastored on the mobile device) and the mobile device may then generate aunique key comprising other identifying data that may be verified by thesecure management entity. For example, upon verifying the user'sidentity locally at the mobile device, the mobile device may generate aunique key comprising data identifying the mobile device (e.g., byincluding a software identifier in the unique key).

Moreover, various embodiments enable the tracking and/or management ofuses of mobile device enabled services and/or promotions. For example, auser may utilize a mobile device to scan a published tag which itself isassociated with a particular promotion. Upon receipt of data associatedwith a scanned tag, the mobile device may transmit data identifying thescanned tag together with data identifying the mobile device to thesecure management entity, which may generate and transmit a unique,device specific key to the mobile device. In various embodiments, thisunique, device specific key may be stored locally on the mobile deviceand presented to a local computing device during a transaction to obtaina mobile device enable service and/or promotion; however, in variousembodiments the mobile device may be configured to generate anadditional key without a network connection, wherein the additional keyincorporates data identifying the unique key received from securemanagement entity as well as additional data (e.g., deviceidentification data). As discussed above, the secure management entitymay anticipate at least a portion of the data included in the generatedadditional key, despite the fact that the mobile device generated thekey without a line of communication with the secure management entity.Thus, when the user presents the additional key to a local computingdevice, the local computing device may transmit the additional key tothe secure management entity, which may verify and transmit verificationdata to the local computing device to complete the transaction.

Moreover, in various embodiments, entity tag generation entity may beconfigured to receive a request to generate a published tag,call-to-action, promotion, ticket, coupon, code and/or the like(collectively referred to herein as a “published tag” for brevity) by abusiness or other entity. The tag generation entity may be a part of thesecure management entity, or it may be a separate entity. In variousembodiments, a published tag may be redeemed by a user in exchange foran item and/or service, a discount on a purchase, access to a venue ormode of transportation, access to a web page, validation of a purchase,and/or the like (collectively referred to herein as “services” forbrevity). In various embodiments, a published tag may comprise dataindicative of various aspects of the published tag and the associatedservice, such as a discount type, an admission ticket type, a maximumnumber of uses by a particular consumer, an expiration date, and/or thelike. As non-limiting examples, the tag generation entity may generatean image (e.g., a picture, a barcode, a Quick Response code, and/or thelike with or without a watermark), a sound, an NFC data signalbroadcast, an RFID signal broadcast, a biometric code, athree-dimensional image, a holographic image, a three-dimensionalfigure, a hologram, and/or publishable and/or broadcastable data to beassociated with the published tag. In various embodiments, thepublishable and/or broadcastable data may be associated with existingimages, figures, sounds, and/or the like, such that a mobile devicescanning or otherwise capturing a representation of an existing image,figure, sound, and/or the like (e.g., an existing painting or sculpture)may be interpreted by the mobile device as capturing a published tag.

The published tag may be distributed to consumers such that theconsumers may access the published tag. In various embodiments, at leasta portion of the published tag may be scannable by a mobile device(e.g., via an optical scanner, Near Field Communication (NFC) scanner,Radio Frequency Identifier reader, microphone, and/or the like). Inresponse to scanning the published tag, the mobile device may transmitidentifying information to the secure management entity. In response,the secure management entity may generate and transmit a unique keycomprising data indicative of the published tag and data indicative ofthe identity of the mobile device to the mobile device. The consumer maythen present the unique key to a local computing device (e.g., a POSterminal) during a transaction (e.g., a purchase transaction).

In various embodiments, upon presentation of the unique key to the localcomputing device during a transaction, the local computing device (e.g.,a POS terminal) may transmit data indicative of the unique key to thesecure management entity. In various embodiments, the data may comprisedata indicative of the unique key being presented, including theidentity of the mobile device associated with the unique key presented.In various embodiments, at least a portion of the data may be encrypted,such that the underlying information associated with the data may not begleaned directly from the data. For example, the data may facilitate themanagement and/or tracking of the number of times a particular keyassociated with a particular mobile device and/or a particular publishedtag has been utilized, while the actual identity of the user and/or themobile device itself cannot be gleaned from the data. In response, thesecure management entity may determine whether the unique code presentedsatisfies applicable aspects of the published tag and/or the servicesassociated with the published tag (e.g., a maximum number of uses by aparticular consumer). In various embodiments, the determination ofwhether the unique code satisfies applicable aspects of the publishedtag may involve transmitting data indicative of the unique code to athird party system (e.g., a computing entity managing the use of one ormore published tags), which may transmit response data to the securemanagement entity indicative of whether the unique code presentedsatisfies applicable aspects of the published tag and/or the servicesassociated with the published tag. Upon a determination that the uniquekey presented satisfies applicable aspects of the published tag, thesystem may permit access to the requested services by the user (e.g.,applying a promotion to a transaction between the user and thebusiness). In various embodiments, the secure management entity and/or athird party computing entity may store data indicative of thetransaction in a database that may be accessed and utilized to determinewhether applicable aspects of a published tag are satisfied, todetermine whether applicable requirements for later warranty claims aresatisfied (e.g., whether the user requests warranty coverage for aproduct purchased during a transaction utilizing a unique key within anapplicable time period after the occurrence of the transaction), todetermine the number of users who utilize the published tag, and/or thelike.

Exemplary Apparatuses, Methods, Systems, Computer Program Products, &Computing Entities

Embodiments of the present invention may be implemented in various ways,including as computer program products. A computer program product mayinclude a non-transitory computer-readable storage medium storingapplications, programs, program modules, scripts, source code, programcode, object code, byte code, compiled code, interpreted code, machinecode, executable instructions, and/or the like (also referred to hereinas executable instructions, instructions for execution, program code,and/or similar terms used herein interchangeably). Such non-transitorycomputer-readable storage media include all computer-readable media(including volatile and non-volatile media).

In one embodiment, a non-volatile computer-readable storage medium mayinclude a floppy disk, flexible disk, hard disk, solid-state storage(SSS) (e.g., a solid state drive (SSD), solid state card (SSC), solidstate module (SSM)), enterprise flash drive, magnetic tape, or any othernon-transitory magnetic medium, and/or the like. A non-volatilecomputer-readable storage medium may also include a punch card, papertape, optical mark sheet (or any other physical medium with patterns ofholes or other optically recognizable indicia), compact disc read onlymemory (CD-ROM), compact disc compact disc-rewritable (CD-RW), digitalversatile disc (DVD), Blu-ray disc (BD), any other non-transitoryoptical medium, and/or the like. Such a non-volatile computer-readablestorage medium may also include read-only memory (ROM), programmableread-only memory (PROM), erasable programmable read-only memory (EPROM),electrically erasable programmable read-only memory (EEPROM), flashmemory (e.g., Serial, NAND, NOR, and/or the like), multimedia memorycards (MMC), secure digital (SD) memory cards, SmartMedia cards,CompactFlash (CF) cards, Memory Sticks, and/or the like. Further, anon-volatile computer-readable storage medium may also includeconductive-bridging random access memory (CBRAM), phase-change randomaccess memory (PRAM), ferroelectric random-access memory (FeRAM),non-volatile random-access memory (NVRAM), magnetoresistiverandom-access memory (MRAM), resistive random-access memory (RRAM),Silicon-Oxide-Nitride-Oxide-Silicon memory (SONOS), floating junctiongate random access memory (FJG RAM), Millipede memory, racetrack memory,and/or the like.

In one embodiment, a volatile computer-readable storage medium mayinclude random access memory (RAM), dynamic random access memory (DRAM),static random access memory (SRAM), fast page mode dynamic random accessmemory (FPM DRAM), extended data-out dynamic random access memory (EDODRAM), synchronous dynamic random access memory (SDRAM), double datarate synchronous dynamic random access memory (DDR SDRAM), double datarate type two synchronous dynamic random access memory (DDR2 SDRAM),double data rate type three synchronous dynamic random access memory(DDR3 SDRAM), Rambus dynamic random access memory (RDRAM), TwinTransistor RAM (TTRAM), Thyristor RAM (T-RAM), Zero-capacitor (Z-RAM),Rambus in-line memory module (RIMM), dual in-line memory module (DIMM),single in-line memory module (SIMM), video random access memory VRAM,cache memory (including various levels), flash memory, register memory,and/or the like. It will be appreciated that where embodiments aredescribed to use a computer-readable storage medium, other types ofcomputer-readable storage media may be substituted for or used inaddition to the computer-readable storage media described above.

As should be appreciated, various embodiments of the present inventionmay also be implemented as methods, apparatus, systems, computingdevices, computing entities, and/or the like. As such, embodiments ofthe present invention may take the form of an apparatus, system,computing device, computing entity, and/or the like executinginstructions stored on a computer-readable storage medium to performcertain steps or operations. However, embodiments of the presentinvention may also take the form of an entirely hardware embodimentperforming certain steps or operations.

Various embodiments are described below with reference to block diagramsand flowchart illustrations of apparatuses, methods, systems, andcomputer program products. It should be understood that each block ofany of the block diagrams and flowchart illustrations, respectively, maybe implemented in part by computer program instructions, e.g., aslogical steps or operations executing on a processor in a computingsystem. These computer program instructions may be loaded onto acomputer, such as a special purpose computer or other programmable dataprocessing apparatus to produce a specifically-configured machine, suchthat the instructions which execute on the computer or otherprogrammable data processing apparatus implement the functions specifiedin the flowchart block or blocks.

These computer program instructions may also be stored in acomputer-readable memory that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including computer-readableinstructions for implementing the functionality specified in theflowchart block or blocks. The computer program instructions may also beloaded onto a computer or other programmable data processing apparatusto cause a series of operational steps to be performed on the computeror other programmable apparatus to produce a computer-implementedprocess such that the instructions that execute on the computer or otherprogrammable apparatus provide operations for implementing the functionsspecified in the flowchart block or blocks.

Accordingly, blocks of the block diagrams and flowchart illustrationssupport various combinations for performing the specified functions,combinations of operations for performing the specified functions andprogram instructions for performing the specified functions. It shouldalso be understood that each block of the block diagrams and flowchartillustrations, and combinations of blocks in the block diagrams andflowchart illustrations, could be implemented by special purposehardware-based computer systems that perform the specified functions oroperations, or combinations of special purpose hardware and computerinstructions.

Exemplary Architecture of the System

FIG. 1 is a block diagram of a system 20 that can be used in conjunctionwith various embodiments of the present invention. In at least theillustrated embodiment, the system 20 may include one or more centralcomputing devices 110, one or more distributed and/or user computingdevices 120, and one or more distributed handheld or mobile devices 300,all configured in communication with a central server 200 via one ormore networks 130. While FIG. 1 illustrates the various system entitiesas separate, standalone entities, the various embodiments are notlimited to this particular architecture.

According to various embodiments of the present invention, the one ormore networks 130 may be capable of supporting communication inaccordance with any one or more of a number of second-generation (2G),2.5G, third-generation (3G), and/or fourth-generation (4G) mobilecommunication protocols, or the like. More particularly, the one or morenetworks 130 may be capable of supporting communication in accordancewith 2G wireless communication protocols IS-136 (TDMA), GSM, and IS-95(CDMA). Also, for example, the one or more networks 130 may be capableof supporting communication in accordance with 2.5G wirelesscommunication protocols GPRS, Enhanced Data GSM Environment (EDGE), orthe like. In addition, for example, the one or more networks 130 may becapable of supporting communication in accordance with 3G wirelesscommunication protocols such as Universal Mobile Telephone System (UMTS)network employing Wideband Code Division Multiple Access (WCDMA) radioaccess technology. Some narrow-band AMPS (NAMPS), as well as TACS,network(s) may also benefit from embodiments of the present invention,as should dual or higher mode mobile stations (e.g., digital/analog orTDMA/CDMA/analog phones). As yet another example, each of the componentsof the system 5 may be configured to communicate with one another inaccordance with techniques such as, for example, radio frequency (RF),Bluetooth™, infrared (IrDA), or any of a number of different wired orwireless networking techniques, including a wired or wireless PersonalArea Network (“PAN”), Local Area Network (“LAN”), Metropolitan AreaNetwork (“MAN”), Wide Area Network (“WAN”), or the like.

Although the device(s) 110-300 are illustrated in FIG. 1 ascommunicating with one another over the same network 130, these devicesmay likewise communicate over multiple, separate networks.

According to one embodiment, in addition to receiving data from theserver 200, the distributed devices 110, 120, and/or 300 may be furtherconfigured to collect and transmit data on their own. In variousembodiments, the devices 110, 120, and/or 300 may be capable ofreceiving data via one or more input units or devices, such as a keypad,touchpad, barcode scanner, radio frequency identification (RFID) reader,interface card (e.g., modem, etc.) or receiver. The devices 110, 120,and/or 300 may further be capable of storing data to one or morevolatile or non-volatile memory modules, and outputting the data via oneor more output units or devices, for example, by displaying data to theuser operating the device, or by transmitting data, for example over theone or more networks 130.

Example Secure Management Entity

In various embodiments, the secure management entity 3 comprises aserver 200 which includes various systems for performing one or morefunctions in accordance with various embodiments of the presentinvention, including those more particularly shown and described herein.It should be understood, however, that the server 200 might include avariety of alternative devices for performing one or more likefunctions, without departing from the spirit and scope of the presentinvention. For example, at least a portion of the server 200, in certainembodiments, may be located on the distributed device(s) 110, 120,and/or the handheld or mobile device(s) 300, as may be desirable forparticular applications. As will be described in further detail below,in at least one embodiment, the handheld or mobile device(s) 300 maycontain one or more mobile applications 330 which may be configured soas to provide a user interface for communication with the server 200 ofthe secure management entity 3, all as will be likewise described infurther detail below.

FIG. 2A is a schematic diagram of the server 200 associated with thesecure management entity 3 according to various embodiments. The server200 includes a processor 230 that communicates with other elementswithin the server via a system interface or bus 235. Also included inthe server 200 is a display/input device 250 for receiving anddisplaying data. This display/input device 250 may be, for example, akeyboard or pointing device that is used in combination with a monitor.The server 200 further includes memory 220, which preferably includesboth read only memory (ROM) 226 and random access memory (RAM) 222. Theserver's ROM 226 is used to store a basic input/output system 224(BIOS), containing the basic routines that help to transfer informationbetween elements within the server 200. Various ROM and RAMconfigurations have been previously described herein.

In addition, the server 200 includes at least one storage device orprogram storage 210, such as a hard disk drive, a floppy disk drive, aCD Rom drive, or optical disk drive, for storing information on variouscomputer-readable media, such as a hard disk, a removable magnetic disk,or a CD-ROM disk. As will be appreciated by one of ordinary skill in theart, each of these storage devices 210 are connected to the system bus235 by an appropriate interface. The storage devices 210 and theirassociated computer-readable media provide nonvolatile storage for apersonal computer. As will be appreciated by one of ordinary skill inthe art, the computer-readable media described above could be replacedby any other type of computer-readable media known in the art. Suchmedia include, for example, magnetic cassettes, flash memory cards,digital video disks, and Bernoulli cartridges.

Although not shown, according to an embodiment, the storage device 210and/or memory of the server 200 may further provide the functions of adata storage device, which may store historical and/or current deliverydata and delivery conditions that may be accessed by the server 200. Inthis regard, the storage device 210 may comprise one or more databases.The term “database” refers to a structured collection of records or datathat is stored in a computer system, such as via a relational database,hierarchical database, or network database and as such, should not beconstrued in a limiting fashion.

A number of program modules (e.g., modules 400-900) comprising, forexample, one or more computer-readable program code portions executableby the processor 230, may be stored by the various storage devices 210and within RAM 222. Such program modules may also include an operatingsystem 280. In these and other embodiments, the various modules 400,500, 600, 700 control certain aspects of the operation of the server 200with the assistance of the processor 230 and operating system 280. Instill other embodiments, it should be understood that one or moreadditional and/or alternative modules may also be provided, withoutdeparting from the scope and nature of the present invention.

For example, the processor may be configured to execute a module 400 forcontrolling the activation of the software application in the mobiledevice, a module 500 for decoding the data contained in a unique keywhich was previously created in the mobile device using the softwareapplication, and a module 600 for authorizing or preventing access tothe services by the user 1 according to the decoded data.

In the embodiment described here, the central server also comprises apublic key and private key cryptography module 700, a module 800 forcontrolling the installation of the software application in the mobiledevice, a module for generating the software application identifier (notillustrated) and a module 900 for limiting the validity period of theunique key which was created in the mobile device.

In various embodiments, the program modules 400, 500, 600, 700, 800, 900are executed by the server 200 and are configured to generate one ormore graphical user interfaces, reports, instructions, and/ornotifications/alerts, all accessible and/or transmittable to varioususers of the system 20. In certain embodiments, the user interfaces,reports, instructions, and/or notifications/alerts may be accessible viaone or more networks 130, which may include the Internet or otherfeasible communications network, as previously discussed.

In various embodiments, it should also be understood that one or more ofthe modules 400, 500, 600, 700, 800, 900 may be alternatively and/oradditionally (e.g., in duplicate) stored locally on one or more of thedevices 110, 120, and/or 300 and may be executed by one or moreprocessors of the same. According to various embodiments, the modules400, 500, 600, 700, 800, 900 may send data to, receive data from, andutilize data contained in one or more databases (see FIG. 4), which maybe comprised of one or more separate, linked and/or networked databases.

Also located within the server 200 is a network interface 260 forinterfacing and communicating with other elements of the one or morenetworks 130. It will be appreciated by one of ordinary skill in the artthat one or more of the server 200 components may be locatedgeographically remotely from other server components. Furthermore, oneor more of the server 200 components may be combined, and/or additionalcomponents performing functions described herein may also be included inthe server.

While the foregoing describes a single processor 230, as one of ordinaryskill in the art will recognize, the server 200 may comprise multipleprocessors operating in conjunction with one another to perform thefunctionality described herein. In addition to the memory 220, theprocessor 230 can also be connected to at least one interface or othermeans for displaying, transmitting and/or receiving data, content or thelike. In this regard, the interface(s) can include at least onecommunication interface or other means for transmitting and/or receivingdata, content or the like, as well as at least one user interface thatcan include a display and/or a user input interface, as will bedescribed in further detail below. The user input interface, in turn,can comprise any of a number of devices allowing the entity to receivedata from a user, such as a keypad, a touch display, a joystick or otherinput device.

Still further, while reference is made to the “server” 200, as one ofordinary skill in the art will recognize, embodiments of the presentinvention are not limited to traditionally defined server architectures.Still further, the system of embodiments of the present invention is notlimited to a single server, or similar network entity or mainframecomputer system. Other similar architectures including one or morenetwork entities operating in conjunction with one another to providethe functionality described herein may likewise be used withoutdeparting from the spirit and scope of embodiments of the presentinvention. For example, a mesh network of two or more personal computers(PCs), similar electronic devices, or handheld portable devices,collaborating with one another to provide the functionality describedherein in association with the server 200 may likewise be used withoutdeparting from the spirit and scope of embodiments of the presentinvention.

According to various embodiments, many individual steps of a process mayor may not be carried out utilizing the computer systems and/or serversdescribed herein, and the degree of computer implementation may vary, asmay be desirable and/or beneficial for one or more particularapplications.

Distributed Handheld (or Mobile) Device(s) 300

FIG. 2B provides an illustrative schematic representative of a mobiledevice 300 that can be used in conjunction with various embodiments ofthe present invention. Mobile devices 300 can be operated by variousparties. As shown in FIG. 2B, a mobile device 300 may include an antenna312, a transmitter 304 (e.g., radio), a receiver 306 (e.g., radio), anda processing element 308 that provides signals to and receives signalsfrom the transmitter 304 and receiver 306, respectively.

The signals provided to and received from the transmitter 304 and thereceiver 306, respectively, may include signaling data in accordancewith an air interface standard of applicable wireless systems tocommunicate with various entities, such as the server 200 of the securemanagement entity 3, the distributed devices 110, 120, and/or the like.In this regard, the mobile device 300 may be capable of operating withone or more air interface standards, communication protocols, modulationtypes, and access types. More particularly, the mobile device 300 mayoperate in accordance with any of a number of wireless communicationstandards and protocols. In a particular embodiment, the mobile device300 may operate in accordance with multiple wireless communicationstandards and protocols, such as GPRS, UMTS, CDMA2000, 1×RTT, WCDMA,TD-SCDMA, LTE, E-UTRAN, EVDO, HSPA, HSDPA, Wi-Fi, WiMAX, UWB, IRprotocols, Bluetooth protocols, USB protocols, and/or any other wirelessprotocol.

Via these communication standards and protocols, the mobile device 300may according to various embodiments communicate with various otherentities using concepts such as Unstructured Supplementary Service data(USSD), Short Message Service (SMS), Multimedia Messaging Service (MMS),Dual-Tone Multi-Frequency Signaling (DTMF), and/or Subscriber IdentityModule Dialer (SIM dialer). The mobile device 300 can also downloadchanges, add-ons, and updates, for instance, to its firmware, software(e.g., including executable instructions, applications, programmodules), and operating system.

According to one embodiment, the mobile device 300 may include alocation determining device and/or functionality. For example, themobile device 300 may include a GPS module adapted to acquire, forexample, latitude, longitude, altitude, geocode, course, and/or speeddata. In one embodiment, the GPS module acquires data, sometimes knownas ephemeris data, by identifying the number of satellites in view andthe relative positions of those satellites.

The mobile device 300 may also comprise a user interface (that caninclude a display 316 coupled to a processing element 308) and/or a userinput interface (coupled to a processing element 308). The user inputinterface can comprise any of a number of devices allowing the mobiledevice 300 to receive data, such as a keypad 318 (hard or soft), a touchdisplay, voice or motion interfaces, or other input device. Inembodiments including a keypad 318, the keypad can include (or causedisplay of) the conventional numeric (0-9) and related keys (#, *), andother keys used for operating the mobile device 300 and may include afull set of alphabetic keys or set of keys that may be activated toprovide a full set of alphanumeric keys. In addition to providing input,the user input interface can be used, for example, to activate ordeactivate certain functions, such as screen savers and/or sleep modes.

In various embodiments, the mobile device 300 may also comprise one ormore biometric scanning devices configured to receiving biometric userinput, such as a fingerprint scanner, voice recognition device, retinalscanner, facial recognition device, and/or the like. In variousembodiments, the one or more biometric scanning devices may be linked(either through hardware enabled links, firmware enabled links, and/orsoftware enabled links) to an identity verification data store withinthe mobile device 300. In various embodiments, the identity verificationdata store may be inaccessible via a network connection with the mobiledevice 300, and accordingly may provide secure storage of identityverification data for the mobile device 300. In various embodiments, themobile device 300 may be configured to provide at least a portion of theidentity verification data from the identity verification data store toone or more processors, for example, in response to a request foridentity verification and a signal received from the one or morebiometric scanning devices associated with the mobile device 300.Accordingly, the mobile device 300 may be configured to provide identityverification data (e.g., passwords, passcodes, PINs, and/or the like) inresponse to a generated inquiry for verification of a user identity uponreceipt of accepted input by one or more biometric scanning devices.

The mobile device 300 can also include volatile storage or memory 322and/or non-volatile storage or memory 324, which can be embedded and/ormay be removable. For example, the non-volatile memory may be ROM, PROM,EPROM, EEPROM, flash memory, MMCs, SD memory cards, Memory Sticks,CBRAM, PRAM, FeRAM, RRAM, SONOS, racetrack memory, and/or the like. Thevolatile memory may be RAM, DRAM, SRAM, FPM DRAM, EDO DRAM, SDRAM, DDRSDRAM, DDR2 SDRAM, DDR3 SDRAM, RDRAM, RIMM, DIMM, SIMM, VRAM, cachememory, register memory, and/or the like. The volatile and non-volatilestorage or memory can store databases, database instances, databasemapping systems, data, applications, programs, program modules, scripts,source code, object code, byte code, compiled code, interpreted code,machine code, executable instructions, and/or the like to implement thefunctions of the mobile device 300.

The mobile device 300 may also include one or more of a scanner 326 anda mobile application 330. The scanner 326 may be configured according tovarious embodiments as an additional and/or alternative data collectionfeature, whereby one or more items may be read, stored, and/ortransmitted by the mobile device 300 via the scanner. For example, thescanner 326 may comprise a camera, a Near Field Communication (NFC)receiver, a Radio Frequency Identification (RFID) reader, a microphone,and/or the like. The mobile application 330 may further provide afeature via which various tasks may be performed with the mobile device300. Various configurations may be provided, as may be desirable for oneor more users of the mobile device 300 and the system 20 as a whole.

Local Computing Entities

In various embodiments, a local computing entity (e.g., a localcomputing system, a user terminal, a Point-of-Sale (POS) terminal, aturnstile, a web-based ecommerce server, another mobile device, and/orthe like) may have one or more features and/or configurations similar tothat of the mobile devices 300 and/or central server 200. Accordingly, alocal computing entity may comprise and/or be in communication with oneor more memory storage areas and/or one or more processors are describedherein. Moreover, in various embodiments, the local computing entity maybe in communication with the secure management entity and/or othercomputing entities as discussed in detail herein such that the localcomputing entity may transmit and/or receive data (e.g., data indicativeof a received unique code) to one or more computing entities.

Example System Operation

As discussed herein, various embodiments provide systems and methods forfacilitating transactions utilizing a mobile device 300 by generatingone or more unique keys by a mobile device 300 that may be verified by asecure management entity 3 (e.g., comprising a central server 200). Asnoted, the secure management entity 3 may anticipate at least a portionof the data included in the unique key in order to provide such identityverification features, and accordingly the mobile device 300 may belinked with the secure management entity 3 such that the securemanagement entity 3 may anticipate at least a portion of the key.Accordingly, a user of the systems and methods may register one or moremobile devices 300 with the secure management entity 3 to thereby linkthe mobile devices 300 and the secure management entity 3. As discussedherein, the mobile device 300 may be configured to generate the uniquekey based on data previously stored in the mobile device 300 and/or inassociation with a user account (e.g., based on membership in acorporate loyalty program, based on data indicative of a previous ticketpurchase, and/or the like) and/or the mobile device 300 may beconfigured to generate the unique key in response to a trigger event(e.g., in response to scanning a published tag). The unique keygenerated by the mobile device 300 may be utilized to access one or moreof a plurality of services (e.g., access to a loyalty program, access toa discount on a purchase, access to medical records, requesting that agood and/or service be delivered and/or performed for the user, accessto a venue and/or facility, access to transportation services, and/orthe like). For example, the unique key may comprise data indicative of aloyalty program joined by the user, and accordingly may be utilized toobtain benefits associated with the loyalty program membership. As yetanother alternative, the unique key may comprise data indicative of acoupon code or other service generated and/or provided for the user inresponse to scanning a published tag (e.g., a QR code disseminated tothe public) indicative of the availability of the coupon code.

Moreover, in various embodiments, at least a portion of the dataincluding in a unique key may be generated by the secure managemententity 3 and transmitted to the mobile device 300. In such embodiments,the mobile device 300 may be configured to store data indicative of theunique key in memory, such that the unique key may be retrieved for use.

Referring to FIG. 3, a user 1 may have one or more mobile device 300,which the user 1 may utilize to access one or more of a plurality ofservices. For example, the services that may be accessed by the user maycomprise the offering of discount coupons on a mobile device, thepossibility of purchasing and using tickets (e.g., to an event) from amobile device, the extension of loyalty programs to a mobile device, oreven payment by a mobile device or mobile payment.

In various embodiments, the mobile device 300 may be configured toundertake a plurality of steps to enable the user 1 to access any of theprovided services. For example, FIG. 4 is a flowchart showing an exampleprocess for enabling a user to access one or more of a plurality ofservices. As shown in FIG. 4, to enable the user 1 to access one or moreof the services, step E1 for creation of a user account may beimplemented. In various embodiments, the user account contains useridentification data, which may comprise a user name, a password or othersecurity code, biometric data (e.g., fingerprint data, eye scan data,voice recognition data, facial recognition data, and/or the like),residential address, contact information (e.g., email address, telephonenumber, and/or the like), program membership data (e.g., corporateloyalty card data, subscriptions, and/or the like), mobile deviceidentifier (e.g., a serial number, user-provided “nickname” for a mobiledevice, IP address of the mobile device, and/or the like), and/or thelike. Moreover, the user account may comprise data indicative of one ormore digital keys shared between the secure management entity 3 and theone or more mobile devices 300, and/or the like. In a particularembodiment, the user account is created before any use of the softwareapplication by the user 1. In various embodiments, the user account maybe generated and stored in association with the secure management entity3 (e.g., in one or more databases) in response to user input received bythe secure management entity 3. For example, the secure managemententity 3 may be configured to generate and provide anInternet-accessible graphical user interface comprising one or morefillable form fields having associated prompts for user input. Forexample, the graphical user interface may comprise one or more formfields corresponding to each of the types of user identification dataincluded in the user account. In various embodiments, the graphical userinterface may be accessible via a web browser device on the mobiledevice 300, through a web browser on another computing entity (e.g.,distributed computing entities 110, 120), through a specificallyconfigured computer program (e.g., operable on a mobile device 300and/or another computing entity), and/or the like.

As discussed herein, service providers may additionally access thesecure management entity 3 and/or a third party computing system, forexample via a graphical user interface displayed via one or morecomputing devices in order to generate and/or manage one or moreservices to be offered by the service providers. The interface presentedto service providers may be different from that provided to users. Inpractice, the service providers may access the secure management entity3 and/or a third party computing system for purposes other than those ofthe users. Thus, for example, the providers may log onto and/orotherwise connect with the secure management entity 3 and/or a thirdparty computing system in order to request the creation of discountcoupons for certain users, the updating of user loyalty programs, or thecreation of tickets previously purchased by the users. Although thegraphical user interface provided to service providers may be differentfrom that provided to end users, the graphical user interface providedto service providers may similarly comprise one or more fillable formfields configured to accept user input. For example, a graphical userinterface provided to a service provider configured to receive userinput indicative of a promotion to be published by the service providermay comprise data indicative of a discount to be applied, a number ofpossible users who may access the discount, expiration dates of thediscount, a published tag for which the discount is associated, and/orthe like.

Although described herein as “service providers” this term should not betaken as limited to entities which have businesses derived based in parton providing services to consumers. Instead, “service provider” mayrefer to any of a variety of entities, including merchants of goodsand/or services, manufacturers, restaurants, carriers, transportationentities, hospitals, individuals, representatives of individuals,representatives of other entities, political entities, entertainers,leasing entities, leasing agents, real estate agents, digital contentproviders, security entities, admission entities, and/or any otherindividual, entities, or collection of individuals and/or entities. Asnon-limiting examples, a provided service may comprise permitting entryof a user into a facility, providing the user with a discount voucher,sending or otherwise providing a product to user, providing digitalcontent to a user, and/or the like.

Referring again to FIG. 4, during the illustrated installation step E2,a software application is installed in the mobile device 300. This“installation” may be either a preinstallation, that is to say apre-embedding in the factory for example, or an installation phaseconducted after the mobile device 300 has been placed on the market. Inthe particular embodiment described here, the installation isimplemented by the user 1 of the mobile device 300. In variousembodiments, the software application to be installed on the mobiledevice 300 is transmitted from the secure management entity 3 to themobile device 300. Thus, the user 1 wanting to install the softwareapplication in the mobile device 300 can, for example, log onto orotherwise connect with the secure management entity 3 and download thesoftware application. As yet another example, the user 1 may direct themobile device 300 to visit a mobile application store (e.g., the AppleApp store, the Google Play Store, the Blackberry World store, and/or thelike) in order to download and install the software application.

In another example, the user 1, logged onto the secure management entity3, can initiate on his mobile device 300 the execution of a softwareapplication installation program which will be run in the securemanagement entity 3.

In yet another example, the secure management entity 3 may send themobile device 300, at the request of the user 1 or not, the softwareapplication or an object enabling the software application to beinstalled. This sending of the request can be done, for example, in theform of a text, multimedia or other type message, addressed by thesecure management entity 3 to the mobile device 300.

Generally, the installation process, which may be performed bydownloading or by any other appropriate technique, is not necessarilythe responsibility of the secure management entity 3. Also, inembodiments in which the secure management entity 3 participates in theinstallation process, other entities (such as, for example, the mobiledevice 300 in the example described above) may possibly also participatein the installation.

Whatever the installation mode, data interchanges for the installationcan be performed via a wireless technology (e.g., short range wirelesstechnologies), such as, for example, via the “Bluetooth” (registeredtrademark) wireless technology, via long-range wireless technology, viaNFC technology, and/or the like.

As a variant, the installation may be a preinstallation implementedduring the assembly and/or the manufacture of the mobile device 300,that is to say that the software application is already installed whenthe mobile device 300 is placed on the market. In such an embodiment,the step E1 for creation of the user account may follow the step E2 forinstallation (preinstallation) of the software application (the order ofthe steps E1 and E2 illustrated in FIG. 4 is reversed).

As FIG. 4 shows, once the software application has been installed in themobile device and the user 1 wants to use it, the next step may compriseactivating the software application. To this end, a step E3 foractivation of the software application installed in the mobile device isimplemented. This step E3 consists in associating an identifier of thesoftware application with the user account. This identifier may becreated either before, or during the implementation of this activationstep E3. Thus, prior to this activation step E3, or during said step, astep for generation of the software application identifier is performed.

The software application identifier may comprise, for example, one ormore symbols and/or alphanumeric characters, a series of alphanumericcharacters (that is to say, a predetermined number of letters and/ornumerals and/or other symbols or characters), an image, a collection ofdata, and/or the like. The software application identifier may be uniqueto the specific software application instance installed on and/orotherwise associated with a particular mobile device, a particular useraccount, and/or the like.

In the particular embodiment described here, the software applicationidentifier is generated by the secure management entity 3. This providesadded security against fraud since the software application and itsidentifier originate from the secure management entity 3. Thus, when thesecure management entity 3 supplies the software application to themanufacturers and/or assemblers of mobile devices 300 and/or to theusers 1, it can, for example (but not necessarily), at the same timesupply the identifier of the software application.

In a particular embodiment, the software application identifier isgenerated by the software application. For example, the step forgeneration of the software application identifier may be performed inthe mobile device 300. The software application identifier may besupplied to the user 1 in various ways, for example, it may be displayedon the screen of the mobile device 300 by the software application, itmay be sent to the user 1 by email or by postal mail.

The user 1 may be informed of the software application identifier, forexample, during the first use of the application on the mobile device300. Thus, according to a particular exemplary embodiment, the softwareapplication identifier is displayed on the screen of the mobile device300 and the user 1 can then log onto the secure management entity 3 andenter or otherwise associate the software application identifier into anassociated user account, for example, by entry on a keyboard or anyother user input device. This entry can be performed, for example, bythe mobile device 300 itself or via a personal computing entity, fixedor not, that is able to set up a connection with the secure managemententity 3. In various embodiments, the software identifier may beautomatically associated with both the mobile device 300 and the useraccount.

Once the software application has been activated, it can be used by theuser 1 in order to access the services. Thus, when the user 1 wants toaccess a service, the user may launch or otherwise initiate the use ofthe software application in the mobile device. This leads to theimplementation of a step E5 for creation of a unique key 7 (see anexample unique key illustrated in FIG. 3) in the mobile device 300.

In the embodiment described here, prior to the implementation of thestep E5 for creation of the unique key 7, a step E4 comprising, for theuser 1, in provide user identification data, is implemented. Forexample, the user 1 may provide a user personal identification code,which comprises a series of alphanumeric characters. As a non-limitingexample, this personal code contains four numerals. As additionalnon-limiting examples, the user 1 may provide identification data viaone or more biometric devices (e.g., a fingerprint scanner) configuredto determine whether the user's fingerprint indicates that an authorizeduser is attempting to access the software application. Correspondingdata utilized to validate the entry of the user identification data maybe stored (e.g., in encrypted or unencrypted form) in association withthe user account and/or locally on the mobile device 300. The user 1 maybe prompted for this identification data by the software applicationwhen the software application is launched and/or initiated in the mobiledevice 300. This makes the method according to the invention all themore safe.

Upon entry of the user identification data, a unique key 7 may begenerated by the mobile device 300. In various embodiments, the uniquekey 7 may itself comprise data indicative of one or more services to beaccessed, and in such embodiments, the mobile device 300 may firstreceive user input indicative of one or more services to be accessedprior to generating the unique key 7. However, in certain embodiments,upon entry of the user identification data, the mobile device 300 maygenerate a unique key 7 which does not comprise specific data indicativeof one or more services to be accessed by the user. As discussed ingreater detail herein, the unique key 7 created during the step E5 forcreation of the unique key comprises at least the software applicationidentifier. In the particular embodiment described here, the unique key7 created also contains the user identification data provided by theuser 1. This data is contained in the unique key 7 in encrypted orunencrypted form, depending on the degree of security sought. In variousembodiments, the unique key 7 may comprise sufficient data to identify auser account associated with the user 1 in order to determine whetherone or more services are available to the user 1. For example, inembodiments in which the unique key 7 does not itself indicate one ormore services that may be accessed by the user 1, the unique key 7 maycomprise sufficient data to identify a user account associated with theuser 1, and another computing entity (e.g., a local computing device,the secure management entity 3, and/or the like) may be configured todetermine whether one or more services available through the accessedlocal computing device are available to the user 1.

It will be noted that in various embodiments, the unique key 7 isgenerated (e.g., as a bar code, QR code, NFC data signal, RFID signal,string of alphanumeric characters, and/or the like), whether the user'sidentification data is correct or incorrect. Similarly, the decoding ofthe unique key (e.g., by the secure management entity 3) will also takeplace (step E6 described below). However, the authorization to accessthe services will not be delivered (steps E7, E8 and E9 described below)upon a determination that the unique key 7 is not indicative of properuser identification data. For example, upon entry of incorrect useridentification data, the mobile device 300 may generate an unauthorizedand/or otherwise inoperable unique key 7 which does not permitauthorization to access one or more services. The creation of the uniquekey 7 may add even more security against fraud, by notably limitingfraud by reverse engineering on the unique key 7 in the mobile device300.

Once the unique key 7 has been created, the user 1 can use it to accessthe services for which the user 1 is authorized. In order to know theservices that the user 1 is authorized to access, the data contained inthe unique key 7 that is created may be decoded.

In particular, the unique key 7 is captured, read, and/or otherwisereceived by an appropriate reader 6 corresponding to a local computingdevice (e.g., in a physical store or virtual merchant site). Then, thedata contained in the unique key 7 can be decoded during a decoding stepE6, by using the secure management entity 3. In various embodiments,after receiving the unique key 7, the reader 6 may transmit dataindicative of the unique key 7 to other computing entities where varioussteps are performed. For example, the reader 6 may transmit the dataindicative of the unique key to a connected local computing device, tothe secure management entity 3, both, and/or the like.

In various embodiments, the unique key 7 is a two-dimensional bar code.However, as additional non-limiting examples, a unique key 7 maycomprise a bar code (one-dimensional and/or two dimensional), aQuick-Response code, a string of alphanumeric characters, a unique soundbite, a photograph, a series of flashes of a lighting device (e.g., aLight Emitting Diode), a data file (e.g., transmitted via one or morewireless communications and/or wired communications), an NFC signal, anRFID signal, and/or the like.

In various embodiments, the reader 6 may be configured to receive theunique key 7. For example, the reader may comprise an optical scanner, aNear-Field Communication receiver, an RFID tag reader, a microphone, abar code scanner, an infrared camera, a light sensor, a keyboard, and/orthe like.

The secure management entity 3 (and/or another computing entity) may beconfigured to decode the unique key 7, and may be configured to checkthe decoded data during a checking step E7. When the decoded data, whichmay comprise the software application identifier and/or the user'spersonal identification data are determined to be correct and tocorrespond to a particular user account, an authorization to access (E8)the service(s) is delivered to the user 1 and/or the local computingdevice.

As indicated herein, the unique key 7 may comprise data indicating oneor more services for which access is requested. For example, the uniquekey 7 may comprise data indicating that the user 1 desires to provide aparticular corporate loyalty card identifier to the local computingdevice, and accordingly the unique key 7 may comprise data indicative ofthe particular corporate loyalty program for which access is requested.As yet another embodiment, the unique key 7 itself may not comprise dataindicative of a particular service requested, but the local computingdevice utilized to scan (e.g., with reader 6) the unique key may appenddata indicative of the service requested when transmitting the data tothe secure management entity 3 for decoding and other analysis. Forexample, when at an ACME Corp. local computing device, personnel forACME Corp. may scan a unique key 7 provided by a mobile device 300, andthe local computing device may append data indicating that the servicerequested is access to an ACME Corp. loyalty program account whentransmitting data indicative of the unique key 7 to the securemanagement entity 3. In such embodiments, the secure management entity 3may determine whether the unique key 7 is associated with a user accountwhich itself is associated with an ACME Corp. corporate loyalty programmembership. In various embodiments, a determination of whether the useraccount is associated with an ACME Corp. corporate loyalty program maybe determined based at least in part on data stored in one or moredatabases (e.g., databases maintained and associated with ACME Corp.and/or a third party).

On the contrary, when the decoded data (in particular the softwareapplication identifier and/or the user's identification data) are notcorrect, the authorization to access the service(s) is not delivered(E9).

The unique key 7 contains at least the software application identifier,preferably in encrypted form to increase the level of security of themethod. In various embodiments, the unique key 7 also contains dataidentifying the user (e.g., at least a portion of the useridentification data provided by the user) in encrypted form. Thus, asillustrated in FIG. 4, the step E5 for creation of the unique keyincludes an encryption step E51, consisting in encrypting the identifierof the software application and the identification data. In a variant inwhich the step E4 consisting in entering user identification data doesnot exist, only the identifier of the software application is encryptedduring the encryption step E51. However, as a variant, it would bepossible not to encrypt the software application identifier.

In the particular exemplary embodiment described in conjunction withFIG. 4, the encryption step E51 is implemented by using a public keyencryption algorithm and the decoding step E6 includes a decryption stepE61 consisting in decrypting the data contained in the unique key 7, byusing a private key associated in a known manner with the public key.However, any of various encryption and decryption algorithms can beemployed (symmetrical cryptography, hashing, digital signature, exchangeof keys, etc.).

In the particular embodiment described here, the unique key 7 created inthe mobile device 300 has a predetermined validity period. As explainedabove, this increases the security of the method according to theinvention. This validity period may, for example, be of the order of afew minutes (e.g., 30 minutes, but this example being in no waylimiting). A longer or shorter period may be provided, notably accordingto the desired level of security.

In an exemplary embodiment, a time stamp is incorporated in the uniquekey 7 created in the mobile device 300, that is to say, informationconcerning the instant at which the unique key 7 was created is insertedinto the unique key 7. The timestamp can be checked by the securemanagement entity 3, for example once the decoding step E6 has beenperformed.

The user 1 may have a number of mobile devices 300 in which the softwareapplication is installed. In the embodiment described, the user accountmay comprise a different application identifier for each mobile device300 belonging to the user 1. As a variant, the software applicationsrespectively associated with the various mobile devices 300 of a sameuser 1 have one and the same software application identifier.

In another embodiment, the software application activation step E3 canbe dispensed with. In this variant, the order of some of the steps ofFIG. 4 may be different: the first step implemented is the step E2 forinstalling the application, followed, if necessary, by the step E4 forentry of the user identification data. Then, the step E5 for creation ofthe unique key 7 and the decoding step E6 are implemented, followed bythe step E1 consisting in creating the user account.

The validity period of a user account created in this way may be limitedto a predetermined value, for better security of use and bettermanagement of the user accounts. It is possible, if necessary, toprovide for the number of services to which a user of such an accountwith limited duration has access to be limited. The creation of such anaccount with limited validity period, called “non-active account”, maybe followed by the step E3 for activation of the software application.In this case, the user account is said to have been activated.

As an example use, when a user 1 wants to use a discount code to make apurchase in a point of sale, once the software application has beeninstalled and activated, the user launches the software application andprovides identification data. A unique key 7 is created on his mobiledevice 300, this unique key 7 containing at least the identifier of thesoftware application and the user's provided identification data, inencrypted or unencrypted form.

At the point of sale, the unique key 7 is read and transmitted to thesecure management entity 3. The secure management entity 3 decodes thedata contained in the unique key 7, checks the services to which theuser 1 is entitled and communicates at least this information to thepoint of sale.

It should be noted that, in the particular embodiment described here,when the user 1 accesses the secure management entity 3 in order tocreate or activate a user account, the user 1 may access, one or morecentral servers 200 between which the various functionalities aredivided (in particular, storage and/or management of the user accounts,decoding of the images, delivery and/or management of the authorizationsto access the services). In the case of a plurality of servers withdivision of the roles, at least some of these servers may be adapted toexchange between them and/or with the other servers of the plurality ofservers, certain information necessary to the execution of at least someof these functionalities. Thus, by virtue of the invention, the user canaccess various services securely and without repeated costs ofconnection to the communication networks.

In various embodiments, the generated unique key 7 may comprise specificdata corresponding to particular services requested by the user 1.Moreover, the mobile device 300 may be configured to update, add, and/orotherwise modify the services available to the user 1 by modifying useraccount data. As discussed herein, the user account data may be modifiedto enable access to one or more services on a permanent basis (e.g.,available until the user takes an affirmative action to disable accessto the services), on a temporary time-dependent basis (e.g., availablefor a predetermined amount of time and/or until the occurrence of apredetermined expiration time), on a temporary event-dependent basis(e.g., available until the happening of a trigger event), and/or thelike.

In various embodiments, access to one or more services may be added to auser's account (e.g., by modifying user account data) in response to oneor more triggering events, such as the mobile device receiving dataindicative of one or more services.

With reference to FIG. 5, which provides a flowchart of an examplemethod for accessing one or more services, the mobile device 300 mayreceive data indicative of one or more services to be associated with auser account. Thus, a mobile computer program application may beinstalled on the mobile device 300, and the mobile device 300 may beassociated with a user account (e.g., by generating a mobile deviceidentifier and associating the mobile device 300 identifier with a useraccount). As indicated herein, the mobile device 300 may comprise one ormore scanners (e.g., a camera, an optical scanner, an NFC reader, anRFID reader, a microphone, and/or the like) configured for receivingdata indicative of a service that may be associated with a user account.In various embodiments, the system for providing access to one or moreservices may be entirely closed loop in nature, such that data may notbe decoded and/or accessed except by components identified as a part ofthe system. Thus, personal identification data, service provider data,and/or the like may not be accessed by entities outside of the closedloop system.

As indicated at Blocks E1001-E1002, the method may begin with thecreation of a user account and the installation of a softwareapplication on the mobile device 300, as described in detail above.Thus, the user account may be created to store data corresponding to theuser, including identification data (e.g., name, residential address,contact information, and/or the like) as well as various servicesassociated with the user account (e.g., various loyalty card programs,transportation tickets, and/or the like).

As indicated by Block E1003, the software application may be launchedand/or otherwise initialized on the mobile device 300 in order tofacilitate one or more additional steps. With reference to Block 1004,the mobile device 300 may be used to scan a published tag via thescanner. For example, the mobile device 300 may be used to scan apublicly available barcode and/or QR code disseminated to the public(e.g., printed on an advertisement), the mobile device 300 may be usedto “listen” to a unique sound (e.g., the sound of a particulartelevision or radio advertisement), the mobile device may be used totake a photograph of a publicly disseminated advertisement, the mobiledevice may be used to receive data broadcast via a wireless broadcasttechnology (e.g., an NFC broadcast) and/or the like. In variousembodiments, the mobile device 300 may be configured to determinewhether the received data (e.g., via the scanner) is associated with aparticular service that may be associated with a user account.Accordingly, in various embodiments, upon receipt of data by thescanner, the mobile device 300 may be configured to launch and/orinitiate the installed software program (e.g., which may be configuredto operate in the background, generally invisible to the user of themobile device 300), which may be configured to determine whether thedata received by the scanner is associated with one or more servicesthat may be associated with the user account. As indicated in FIG. 5,the installed software program may be launched and/or initiated (asindicated at Block 1003) prior to scanning the published tag (asindicated at Block E1004), such that the program directly receives thedata received by the scanner. In such embodiments, the software programmay request the user to provide identification data upon launchingand/or initiating the software program (e.g., before scanning thepublished tag), and/or the software program may be configured to receivethe published tag (e.g., via the scanner) before requiring the user toprovide user identification data. Thus, the software program may beconfigured to permit users to quickly access the scanner and receivepublished tags, particularly in instances in which the published tagsare transient in nature (e.g., the published tag is a sound biteassociated with a 30-second television commercial, the published tag isa large QR code on a billboard adjacent a highway or other lane oftravel, and/or the like). However, the order of steps illustrated inFIG. 5 should not be considered limiting. For example, in variousembodiments, the scanning of a published tag may cause the mobile device300 to launch and/or initiate the installed software program (therebyreversing the order of steps indicated by Blocks 1003 and 1004), whichthen requests the user 1 to provide identification data prior to and/orafter determining whether the received published tag is associated withone or more services that may be associated with the user account.

In various embodiments, the published tag may itself comprise dataindicating that the published tag is associated with a service that maybe associated with a user account. However, in other embodiments, themobile device 300 may be configured to transmit data indicative of thepublished tag to the secure management entity 3 which is configured todetermine whether the published tag is associated with a service thatmay be associated with a user account. Accordingly, such determinationmay be made locally (e.g., on the mobile device) and/or aftertransmitting data indicative of the published tag to the securemanagement entity 3 from the mobile device 300.

Upon a determination that the published tag is associated with a servicethat itself may be associated with a user account, a unique key 7 may begenerated, as indicated at Block 1005, comprising data indicative of theservice associated with published tag and data indicative of the useridentity (e.g., the mobile device identifier, a user identifier, and/orthe like). In various embodiments, the mobile device 300 may beconfigured to generate the unique key 7 locally, without interactionwith the secure management entity 3. In such embodiments, the unique key7 may comprise data indicative of the service and data indicative of theuser's identity and/or the software identifier associated with themobile device 300. In various embodiments, the unique key 7 generated bythe mobile device 300 may be encrypted, as indicated at Block E10051(e.g., using any of the encryption methodologies described herein, suchas symmetrical cryptography, hashing, digital signature, exchange ofkeys, etc.), and/or unencrypted. As discussed herein, the user 1 maythen present the mobile device 300 with the unique key 7 to a localcomputing device to access the services associated with the publishedtag.

In various embodiments, the mobile device 300 may be configured totransmit data indicative of the published tag and the user's identityand/or the mobile device identity (e.g., the software identifier and/orat least a portion of the user identification data) to the securemanagement entity 3, which is configured to generate a unique key 7 forthe user 1. Thus, for example, after the user 1 utilizes the mobiledevice 300 to scan the published tag and provides identification data,the mobile device 300 transmits the data indicative of the published tagand the identification data (e.g., the software identifier and/or atleast a portion of the user identification data) to the securemanagement entity 3, which generates a unique key 7, and transmits thegenerated unique key 7 back to the mobile device 300 for storage and useby the user 1. In such embodiments, the user 1 may then present theunique key 7 generated by the secure management entity 3 to a localcomputing device to access the services associated with the publishedtag. In such embodiments, the secure management entity 3 may beconfigured to generate a unique key to be associated with the mobiledevice 300, and may generate a unique key 7 incorporating the generatedunique key that is then transmitted to the mobile device 300. The mobiledevice 300 may then store the unique key 7 comprising the generatedunique key.

In various embodiments, upon receipt of incorrect user identificationdata, the mobile device 300 and/or the secure management entity 3 may beconfigured to generate an invalid unique key 7. Similar to thatdescribed above, the invalid unique key 7 may be similar to a validunique key 7, however, upon presentation of the invalid unique key 7 toa local computing device, the local computing device and/or the securemanagement entity 3 may determine that the unique key 7 is invalid anddoes not provide access to any services.

As discussed above, access to the one or more services associated withthe published tag may be limited, and accordingly a computing entity(e.g., the mobile device 300 and/or the secure management entity 3) maybe configured to determine whether access to the services may beprovided to the user 1 after receiving data indicative of a scannedpublished tag. In various embodiments, after scanning the published tag,but before generation of the unique key 7 for the user 1, the mobiledevice 300 and/or the secure management entity 3 may be configured todetermine whether services are available to the user 1. For example, themobile device 300 and/or the secure management entity 3 may beconfigured to determine whether access to the services associated withthe published tag has expired (e.g., when an expiration date and/or timeis associated with the published tag), whether access to the servicesassociated with the published tag has been exhausted (e.g., when amaximum number of scans and/or uses of the published tag and/or theassociated services has been associated with the published tag), and/orthe like. In various embodiments, such a determination may be made bythe secure management entity 3 after the mobile device 300 transmitsdata indicative of the published tag, the user identification data,and/or the software identifier to the secure management entity 3.

However, in various embodiments, a determination of whether access isavailable to the user 1 may be made after the unique key 7 has beengenerated (e.g., by the mobile device 300 and/or by the securemanagement entity 3). For example, a determination of whether accessshould be granted to the user 1 to services associated with thepublished tag may be made when the user 1 presents the generated uniquekey 7 to a local computing device. Such embodiments enable the mobiledevice 300 to generate the unique key 7 without any interaction with thesecure management entity 3, which may require a data communicationbetween the mobile device 300 and the secure management entity 3. Forexample, a user 1 may use the mobile device 300 to scan a published tagand may enter user identification data into the mobile device 300. Themobile device 300 may then generate a unique key 7 locally, withoutinteraction with the secure management entity 3. The user 1 may thenpresent the unique key 7 on the mobile device 300 to a local computingdevice (e.g., by the local computing device scanning the unique key,using, for example, a bar code scanner, microphone, NFC reader, RFIDreader, camera, and/or the like). The local computing device may thentransmit the unique key 7 to the secure management entity 3 (e.g., viaan Application Program Interface (API)), which may determine whether theunique key 7 enables access to one or more services. For example, an APImay be generated and provided by the secure management entity 3 that isconfigured to obtain data from the local computing device and transmitthe date to the secure management entity 3 in a format suitable for useby the secure management entity 3. For example, the local computingdevice may provide data indicative of received unique keys to the API,which may then provide such data to the secure management entity 3. Upondetermination by the secure management entity 3 that the user 1 isauthorized to receive one or more requested services, the securemanagement entity 3 may transmit data indicative of the determinedauthorization to the local computing device via the API. In variousembodiments, the determination of whether the user 1 is authorized toreceive one or more requested services may be made at least in part by athird party computing entity. In such embodiments, upon receipt of dataindicative of the unique key 7 from the local computing device, thesecure management entity 3 may be configured to transmit at least aportion of the received data to the third party computing entity. Thethird party computing entity may then determine whether the dataindicates that the user 1 is authorized to receive one or more of therequested services (e.g., by comparing data received from the securemanagement entity 1 against stored data indicative of criteria toreceive the one or more services), and may transmit data indicative ofwhether the user 1 is authorized to receive one or more of the requestedservices to the secure management entity 3.

In various embodiments, a determination of whether the unique key 7enables access to one or more services may comprise decrypting theunique key 7 (if encrypted), as indicated at Block E1006 and determiningif the contained data indicative of the scanned published tag enablesaccess to the services (e.g., determining whether a promotion associatedwith the published tag has expired or is exhausted) and if the containeddata indicative of the user identity is valid and associated with a useraccount. In various embodiments, as noted above, decryption of theunique key 7 may comprise using a public key and/or another decryptionalgorithm (as indicated at Block E10061) to decrypt the unique key 7.Upon a determination that both the data indicative of the published tagand the data indicative of the user identifier and/or the softwareidentifier are valid (as indicated at Block E1007), the securemanagement entity 3 may permit access to the associated services, asindicated at Block E1008. For example, the secure management entity 3may transmit data to the local computing device indicating that theservices are to be provided to the user 1 (e.g., entry to an event,application of a discount to a purchase, and/or the like). However, upona determination that data contained in the unique key 7, such as theuser identification data and/or the software identifier, the securemanagement entity 3 may not permit authorization to the one or moreservices, as indicated by Block E1009.

Moreover, data indicative of the services provided to the user 1 may bestored in association with the user account associated with the user 1.Thus, for example, a log may be generated and maintained comprising dataindicative of one or more redemptions and/or uses of keys associatedwith published tags for each user. The data stored in association withthe user account may comprise time of use of the unique key 7, number ofuses of the unique key 7 (or related unique keys corresponding to one ormore common services), services provided to the user 1, products and/orservices purchased during the transaction involving the unique key 7,warranty information related to products and/or services purchasedduring the transaction involving the unique key 7, location of use ofthe unique key 7, published tag scanned to receive the unique key 7,and/or the like.

Thus, the secure management entity 3 and/or a third party computingentity in communication with the secure management entity 3 may beconfigured to store (e.g., in one or more databases) data indicative ofvarious uses and/or scans of published tags. For example, the securemanagement entity 3 may store data indicating that a particularpublished tag has been scanned (e.g., when the secure management entity3 receives data indicative of the published tag from a mobile device300), data indicating that a particular unique key 7 associated with apublished tag has been used or generated, and/or the like. The storeddata may be anonymous (e.g., not associated with user identificationdata and/or a user account) and/or may be associated with particularuser accounts. Moreover, by maintaining stored data indicative of accessto various services, the secure management entity 3 may be configured tolimit access to the one or more services according to various criteria.In various embodiments, the criteria may be stored in one or moredatabases in association with the secure management entity 3 and/or maybe stored in one or more databases managed and associated with thirdparty entities and/or service providers. Example criteria may comprise:(1) a maximum number of times a user 1 may obtain access to servicesassociated with a published tag; (2) a time duration after scanning thepublished tag during which a unique key 7 remains valid; (3) a maximumnumber of users 1 who may receive access to services associated with apublished tag; (4) a minimum number of users 1 who may scan thepublished tag before access to services is permitted; (5) a date rangeduring which access to the services associated with the published tag isavailable; and/or the like. For example, each user 1 may be permitted toaccess services associated with a particular published tag only apredefined number of times (e.g., only one discount per user). Invarious embodiments, the criteria may be based at least in part on userinput received from a service provider in establishing a promotion, asdescribed herein.

Moreover, services to be provided to users 1 may be dependent at leastin part on attributes of the use of a unique key 7 associated with aparticular published tag. For example, different services may beprovided to a user 1 depending on attributes of the use of the uniquekey associated with a particular published tag. For example, theservices to be provided to a user 1 may depend at least in part on (1)the number of times a user 1 scans a published tag; (2) the number oftimes a user 1 requests generation of a unique key 7 associated with apublished tag; (3) the time at which the user 1 scans the published tag(e.g., time of day, day of week, day of year, and/or the like); (4) thetime at which the user 1 presents a unique key associated with thepublished tag (e.g., time of day, day of week, day of year, and/or thelike); and/or the like. As a non-limiting example, a user 1 may obtainincreasing discounts for each subsequent scan of a particular publishedtag.

Moreover, in various embodiments the secure management entity 3 may beconfigured to prevent substantially simultaneous presentation of aunique key 7 generated and stored on multiple mobile devices 300. Forexample, for a user account associated with multiple mobile devices 300,a single unique key 7 (and/or multiple unique keys 7 corresponding tothe same service and/or the same published tag scan) may be generatedand associated with the user account, and may be disseminated to each ofthe mobile devices 300 associated with the user account. In suchembodiments, upon a determination that one of the mobile devices 300 isbeing used to redeem a unique key 7, the secure management entity 3 maytransmit data to the remaining mobile devices 300 (e.g., via a wirelesscommunication network) blocking use of the unique key 7. For example,the unique keys 7 may be blocked visually by overlaying a visuallyopaque object (e.g., a virtual object displayed via a display device ofthe mobile device) over the unique key 7, by preventing transmission ofthe unique key (e.g., via NFC, sound transmission, and/or the like),and/or the like. In various embodiments, upon initial receipt of dataindicating that a particular unique key 7 has been presented to a localcomputing device, the secure management entity 3 may be configured toidentify an associated user account (if any) and transmit data to mobiledevices 300 associated with the user account instructing the mobiledevices 300 to block and/or otherwise prevent presentation of the uniquekey 7. For example, the secure management entity 3 may be configured toreceive data indicating that a particular unique key 7 has beenpresented to a local computing device from the local computing device.Alternatively, the secure management entity 3 may be configured toreceive data indicating that a unique key 7 is being accessed and/orbeing presented to a local computing device from the mobile device 300,for example, upon a determination that the mobile device 300 ispresenting (e.g., displaying and/or broadcasting) the unique key 7.

Upon a determination that redemption of the unique key 7 is complete,and/or upon a determination that the mobile device 300 is no longerpresenting and/or broadcasting the unique key 7, the secure managemententity 3 may be configured to transmit data to the mobile devices 300associated with the user account to instruct the mobile devices 300 topermit presentation and/or broadcasting of the unique key 7.

Example Use Case

An example use case of the method described herein in reference to FIG.5 will now be presented. According to the embodiment described herein,an advertisement containing a published tag may be generated andpublished by a service provider. The advertisement may include textand/or images providing a description of a promotion provided by aservice provider, and may comprise a published tag (e.g., a bar code, QRcode, RFID tag, NFC transmitter device, and/or the like). As notedabove, the published tag may comprise data indicating that one or moreservices are available that may be associated with a user account. As aspecific example, the advertisement and the associated tag may indicatethat a user may receive a coupon redeemable for a 20% discount on apurchase at Merchant A.

The user 1, upon seeing the advertisement, may use the user's mobiledevice 300 (e.g., a mobile phone) to scan and/or otherwise read thepublished tag from the advertisement. In various embodiments, the user 1may open a specific program application installed on the mobile device300, and may use executable portions of the software included therein toscan or otherwise read the published tag. Alternatively, as noted above,a user 1 may use any of a variety of software and/or firmware installedon the mobile device 300 to read the tag (e.g., via a scanner associatedwith the mobile device 300), which may cause the software application tolaunch and/or otherwise initiate to receive the data associated with thepublished tag. Thus, as a specific example, the user 1 may scan a QRcode on the published advertisement in an effort to obtain the 20%discount coupon for Merchant A.

The mobile device 300 may additionally receive user input providing useridentification data to be provided to the software application. Forexample, the user 1 may provide a password, a biometric scan, and/or thelike to verify the user's identity. As discussed herein, the mobiledevice 300 may be configured to only generate a unique key 7 and/orretrieve a unique key 7 configured to authorize receipt of one or moreservices stored in memory after verifying the received useridentification data. After receiving data indicative of a published tagand the user identification data, a unique key 7 may be generated forthe user. In various embodiments, the mobile device 300 generates theunique key incorporating data indicative of the scanned published tag,data indicative of the user's identity, and/or data indicative of asoftware identifier corresponding to the mobile device 300. In variousembodiments, the mobile device 300 transmits data indicative of thepublished tag, the user's identity, and/or the mobile device identity tothe secure management entity 3, which may generate a unique key 7 thatis then transmitted back to the mobile device 300 for storage in memoryassociated with the mobile device 300. In various embodiments, at leasta portion of the data of the unique key 7 is encrypted such that onlythe mobile device 300 and/or the secure management entity 3 may decryptthe data included in the unique key 7. Thus, continuing the aboveexample, after the user 1 scans the published tag regarding the 20%discount for Merchant A and provides identification data verifying theuser's identity, the user is presented with a unique key 7 (e.g., a QRcode, an NFC data broadcast, and/or the like) that the user may thenpresent to a local computing device when making a purchase at MerchantA.

When attempting to redeem and/or otherwise request the servicesassociated with the generated unique key 7, the user 1 may present theunique key 7 to a local computing device (e.g., after providing userinput indicative of user identification data). The local computingdevice may receive the unique key 7 (e.g., by scanning the unique key 7displayed on the screen of the mobile device 300), and may transmit dataindicative of the unique key 7 to the secure management entity 3 (e.g.,via an API). The secure management entity 3 may then decrypt the data ofthe unique key 7 (if encrypted), and may determine whether the uniquekey 7 corresponds to a particular user account. For example, the securemanagement entity 3 may verify that the provided user identificationdata is correct. Moreover, the secure management entity 3 may determinewhether the requested services should be provided to the user 1 bycomparing data associated with the published tag (identified based atleast in part on a portion of the data of the unique key 7) againstattributes of the presentation of the unique key 7 for the user 1. Forexample, the secure management entity 3 may determine whether thepromotion associated with the published tag has expired, has beenexhausted (either by a plurality of users or by the user 1 presentingthe unique key) and/or the like. Upon a determination that the promotionis available for the user 1, the secure management entity 3 providesconfirmation data to the local computing device, which may enable thepromotion to be applied to the user's purchase. With reference to theabove example, when the user 1 presents the unique key 7 during apurchase transaction with Merchant A, the local computing device scansthe unique key 7 and transmits the unique key 7 to the secure managemententity 3 to determine whether the user 1 should receive the promotion.The secure management entity 3 may verify the user's identity, whetherthe promotion has expired or has been exhausted (e.g., by the user 1presenting a unique key more than a maximum number of times) and/or thelike. Upon determining that the user's purchase qualifies for thepromotion, the secure management entity 3 transmits confirmation data tothe local computing device, which may then apply the 20% promotionaldiscount to the user's purchase.

After using the promotion, the secure management entity 3 may receiveusage data from the local computing device indicative of the use of thepromotion by the user 1. The secure management entity 3 and/or a thirdparty computing system in communication with the secure managemententity 3 may store this data in a usage log in association with theuser's account. As previously noted, the secure management entity 3 mayutilize this data during later determinations of whether the user 1qualifies to use a unique key 7 in the future. Moreover, the usage datamay be available to the user 1 (e.g., via accessing the user account)and may provide the user 1 with data corresponding to the use of aunique key 7. With reference to the prior example, after making apurchase at Merchant A using a unique key 7, the user 1 may later accessthe user's account to retrieve data corresponding to the purchasetransaction. For example, the user 1 may retrieve a digital purchasereceipt, warranty information for purchased items, and/or the like.

CONCLUSION

Many modifications and other embodiments of the inventions set forthherein will come to mind to one skilled in the art to which theseinventions pertain having the benefit of the teachings presented in theforegoing descriptions and the associated drawings. Therefore, it is tobe understood that the inventions are not to be limited to the specificembodiments disclosed and that modifications and other embodiments areintended to be included within the scope of the appended claims.Although specific terms are employed herein, they are used in a genericand descriptive sense only and not for purposes of limitation.

That which is claimed:
 1. A computer-implemented method enabling accessto one or more services, the method comprising: receiving published tagdata and user identification data, wherein the published tag datacorresponds to one or more services offered to users; determiningwhether the services corresponding to the published tag data isavailable for users; generating a unique key comprising data indicativeof the published tag data and data indicative of the user identificationdata; and transmitting the unique key to a mobile device of a user,wherein the mobile device is configured to provide the unique key uponreceipt of a request to access the one or more services corresponding tothe published tag.
 2. The method of claim 1, further comprising:receiving the unique key during a request to access the one or moreservices; decoding data contained in the unique key; and enabling or notenabling the user to access the one or more services according to thedecoded data.
 3. The method of claim 1, wherein the published tag dataand the user identification data are received from the mobile device ofthe user, and wherein the published tag data is scanned by the mobiledevice.
 4. The method of claim 1, wherein the unique key is selectedfrom the group consisting of: an image, a sound, a Near FieldCommunication data signal, or a string of alphanumeric characters. 5.The method of claim 1, wherein generating the unique key comprisesencrypting at least a portion of the data contained in the unique key.6. The method of claim 5, wherein encrypting at least a portion of thedata contained in the unique key comprises applying a public keyencryption algorithm.
 7. The method of claim 1, wherein the useridentification data comprises a software application identifierassociated with the mobile device.
 8. The method of claim 2, whereindetermining whether the services corresponding to the unique key areavailable comprises comparing attributes of the request to access theone or more services against requirement data associated with the one ormore services.
 9. The method of claim 8, wherein the attributes of therequest to access the one or more services comprise at least one of: atime of the request, a number of times the one or more services havebeen accessed, or a number of times the user has requested the one ormore services.
 10. A system for enabling access to one or more services,the system comprising: one or more memory storage areas; and one or morecomputer processors configured to: receive published tag data and useridentification data, wherein the published tag data corresponds to oneor more services offered to users; determine whether the servicescorresponding to the published tag data is available for users; generatea unique key comprising data indicative of the published tag data anddata indicative of the user identification data; and transmit the uniquekey to a mobile device of a user, wherein the mobile device isconfigured to provide the unique key upon receipt of a request to accessthe one or more services corresponding to the published tag.
 11. Thesystem of claim 10, wherein the one or more processors are furtherconfigured to: receive the unique key during a request to access the oneor more services; decode data contained in the unique key; and enable ornot enabling the user to access the one or more services according tothe decoded data.
 12. The system of claim 10, wherein the published tagdata and the user identification data are received from the mobiledevice of the user, and wherein the published tag data is scanned by themobile device.
 13. The system of claim 10, wherein the unique key isselected from the group consisting of: an image, a sound, a Near FieldCommunication data signal, or a string of alphanumeric characters. 14.The system of claim 10, wherein generating the unique key comprisesencrypting at least a portion of the data contained in the unique key.15. The system of claim 14, wherein encrypting at least a portion of thedata contained in the unique key comprises applying a public keyencryption algorithm.
 16. The system of claim 10, wherein the useridentification data comprises a software application identifierassociated with the mobile device.
 17. The system of claim 11, whereindetermining whether the services corresponding to the unique key areavailable comprises comparing attributes of the request to access theone or more services against requirement data associated with the one ormore services.
 18. The system of claim 17, wherein the attributes of therequest to access the one or more services comprise at least one of: atime of the request, a number of times the one or more services havebeen accessed, or a number of times the user has requested the one ormore services.
 19. A computer program product comprising at least onenon-transitory computer-readable storage medium having computer-readableprogram code portions stored therein, the computer-readable program codeportions comprising: an executable portion configured to receivepublished tag data and user identification data, wherein the publishedtag data corresponds to one or more services offered to users; anexecutable portion configured to determine whether the servicescorresponding to the published tag data is available for users; anexecutable portion configured to generate a unique key comprising dataindicative of the published tag data and data indicative of the useridentification data; and an executable portion configured to transmitthe unique key to a mobile device of a user, wherein the mobile deviceis configured to provide the unique key upon receipt of a request toaccess the one or more services corresponding to the published tag.